By Doug Williams
Today CIOs and CSOs face more and more regulations and an ever-broadening compliance landscape. Depending on the industry, such regulations are not limited to PCI, HIPAA, GLBA, SOX and DoD 8500.2, to name just a few. In fact, nowadays C-level executives are no longer concerned with the decision of whether to be compliant or not; the question is where to spend their limited budget in a way that makes the most impact on their business and ultimately on their compliance profile.
In the past this meant hiring a team of consultants to come in and either conduct interviews or run workshops to get a feel for the customer’s compliance with any particular standard or regulation. This is a long, and sometimes costly, endeavor with no guarantee that the consultants will talk to the right people or measure the right things in order to reach the correct conclusion. Only after this long process is done does the CIO or CSO read the multi-page reports in order to figure out where to invest their limited IT budget for that year.
There is now a better way to obtain this information. When a customer deploys, installs and configures a proper IT Governance, Risk and Compliance (IT GRC) software solution, it lets them see, with a few clicks, where their IT dollars are best spent for the most return on investment. IT GRC allows organizations to measure their assets, business processes or systems against what is referred to as a security index. With this measurement, companies are able, for example, to generate a graphical report that shows the security index of the entire organization.
Above, a report called Business Components Integration View shows the interdependencies of an organization’s assets, systems and business processes, as well as how one asset’s security index can roll up and affect the overall security index of the upstream system or business process. It also allows decision makers to easily see where IT dollars can be better spent to make the most effective impact within their organization.
This kind of report gives CIOs and CSOs the ability to make informed decisions on where to spend their limited IT budget. In this example, if the organization had a limited budget to spend on improving its security posture, the logical place to spend those dollars would be the data center, since that would yield the most results across the whole corporate scenario. However, if this organization were concerned only with assets that had been classified with a security index of “red”, it could just as easily choose to focus its IT dollars on the application server, IT manager, firewall and workstation assets. This is but one benefit of implementing an IT GRC solution.
Doug Williams is an Information Security Consultant at Modulo, a leading provider of IT GRC solutions. Modulo Risk Manager™ software allows organizations to implement an effective GRC process for risk management and compliance with market standards and regulations, coupled with an IT governance process.